Privacy Policy HCC
1.- RIGHT TO INFORMATION
In accordance with the provisions of article 11 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD) and article 13 of the General Data Protection Regulation 2016/679, we inform you:
1.1.- Identification of data controllers:
The data provided to us through this portal may be processed by the following data controllers:
LUTX CORPORACIÓ, SL. With address at Calle Consell de Cent n. 357, 2º, Barcelona.
When you contact any of our hotels, they will also be considered data controllers. The hotel that receives the reservation. Hotels, HCC St. Moritz, HCC Regente, HCC Montblanc, HCC Taber, all of them with address for notifications at Calle Consell de Cent n. 357, 2º
The corporate data protection delegate is CIPDI tratamiento de la información SL, with address at c/ Sant Agustí n1 1º 1º, Mataró (08301). Email dpd@cipdi.com
1.2.- Purposes of processing, legal basis, and retention period.
Purpose Legal basis Conservation.
Provision of services Contractual relationship 5 years.
Sending of commercial information Consent and legal authorization (art. 21.2 of the LSSI) Until consent is revoked or rights are exercised.
Employee management - Contractual relationship and legal authorization - 5 years
CVs - Contractual relationship and consent - 1 year
CCTV - Legitimate interest. Maintaining security within the hotel - 30 days
1.3.- Recipient categories.
To fulfill the aforementioned purposes, the following may have access to your data:
Staff duly authorized by the data controller's management.
The necessary providers to fulfill your request, including but not limited to:
- Advisors.
- Financial entities.
- Software maintenance companies
- Hardware maintenance companies
- Advertising and marketing companies
- Accommodation reservation portals
- Auxiliary services
Public administration within the scope of their competences. In accordance with the provisions of Royal Decree 933/2021, of October 26, which establishes the obligations of documentary registration and information of natural or legal persons carrying out lodging and motor vehicle rental activities, the data collected may be accessible to the police and public authorities in the exercise of their respective competencies in the field of crime prevention, detection, and investigation assigned to them.
The hotels of the group listed in section 1.1 of this document.
1.4.- International data transfers.
To carry out their functions, the data controller may deposit data in:
a.- Google systems. The data controller has signed an agreement with Google, in accordance with the resolution of the Spanish Data Protection Authority of June 22, 2017. You can obtain more information about G-Suite privacy policies by visiting the following links:
https://policies.google.com/privacy?hl=es / https://support.google.com/a/answer/2888485?hl=es
b.- Microsoft. You can obtain more information about their privacy policy at: https://privacy.microsoft.com/es-ES/
With the aforementioned companies, data protection clauses adopted by the Commission have been signed in accordance with the provisions of article 46 of Regulation (EU) 2016/649 General Data Protection Regulation (GDPR).
1.5.- Rights as data subject
Right of access. Regulated in article 15 of the GDPR 2016/679 of April 27, 2016. It is about asking the data controller to obtain all the information they have about their personal data and communications that have been made, or are planned to be made.
Right to rectification. Regulated in article 16 of the GDPR. It is about asking the data controller to change the content of the information about the person and their data, following the instructions of the information owner.
Right to erasure. Regulated in article 17 of the GDPR 2016/679. It consists of asking the data controller to delete any information about the data subject. Erasure involves blocking all the data and keeping it available to the public administrations for the period required for the right to exercise legal actions to prescribe.
Right to restrict processing. Regulated in article 18 of the GDPR 2016/679 of April 27, 2016. It is about asking the data controller to restrict the processing of their data when one of the following conditions is met:
i.- personal data are inaccurate;
ii.- processing is unlawful;
iii.- the data controller no longer needs to process the data;
iv.- When the reasons for stopping processing the data alleged by the data subject prevail over those of the data controller.
The right to data portability. It is in article 20 of the GDPR 2016/679 of April 27, 2016. It is about asking the data controller to provide the personal data of the information owner in a structured, commonly used, machine-readable format, in order to transmit them to another data controller when the processing is done by automated means and is based on express consent.
Right to object. Regulated in article 21 of the GDPR 2016/679 of April 27, 2016. It is about asking the data controller to process the data following certain instructions made by the information owner.
Right to withdraw consent. Regulated in article 13.2.c) of the GDPR 2016/679 of April 27, 2016. It is an order given by the data subject to the data controller notifying them that they withdraw the consent given for processing their data.
Right not to be subject to automated individual decisions. It is the request to the data controller that all decisions that have legal effects are not taken exclusively by machines.
To exercise the above rights, you can do so in writing to the data controller's addresses, or send an email to the address dades@gruplutx.cat with the subject "DATA PROTECTION" and attaching a photocopy of your ID card, NIE, or passport in that email.
1.6.- Right to lodge a complaint.
You can contact the internal compliance officer using the whistleblowing channel you will find on the website (https://denuncias.cipdi.com/hcchotels/es/)
The competent authority to oversee the correct application of the regulations on information processing is the Spanish Data Protection Authority, located at Calle Jorge Juan n. 6, Madrid.
1.7.- Data subject obligations.
The data subject must provide truthful and updated information in all data collection processes, being solely responsible for breaching this obligation.
In the data collection forms, the data that must be provided are marked, depending on the request made by the data subject. Failure to provide this data may result in the impossibility of participating in the activity or providing the requested service.
1.8.- Profile creation
Not done.
2. USER CONSENT
It is understood that the user accepts the established conditions if they click the 'ACCEPT' button found on all data collection forms, or if they send a message by email.
Personal data are stored in the company's general administration database, in any case, guaranteeing the technical and organizational measures to preserve the integrity and security of the information processed.
3. SECURITY
The general database has the necessary security document and all the technical means at our disposal have been established to prevent loss, misuse, alteration, unauthorized access, and theft of the data you provide us. The processing of personal data is in compliance with the regulations established in Organic Law 3/2018 on the protection of data and guarantee of digital rights and Regulation (EU) 2016/679 of the European Parliament and Council, of April 27, 2016.
4. USE OF IP ADDRESSES
To facilitate the search for resources that we believe may be of interest to you, you may find links to other websites on this website.
This privacy policy applies only to this website. The data controller does not guarantee compliance with this policy on other websites or take responsibility for access through links on this website.